
HPE Security Fortify Software Security Content 2017 Update 1

Security_Guest

HPE Security Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to HPE Security Fortify Secure Coding Rulepacks (English language, version 2017.1.0), HPE Security Fortify WebInspect SecureBase (available via SmartUpdate), HPE Security Fortify Application Defender, and HPE Security Fortify Premium Content. Reference the release announcement for all the details.


HPE Security Fortify Secure Coding Rulepacks [SCA]

With this release, the Fortify Secure Coding Rulepacks detect 751 unique categories of vulnerabilities across 24 programming languages and span over 860,000 individual APIs. In summary, the release includes rule enhancements and support for the following:

.NET TAP[i] and Entity Framework 6

  • Coverage of all supported .NET vulnerability categories that pass data through Task-based Asynchronous Pattern (TAP) constructs
  • Coverage for Entity Framework 6 and extended coverage for the Web.* namespaces in .NET 4.6.2 (extended support covers 12 existing categories and a new category, Insecure Transport: Database)

Swift 3[ii]

  • Coverage for all SDK changes introduced in Swift 2.3, to account for renamed APIs and variables

iOS enhancements[iii]

  • Detection of the new vulnerability category Predicate Injection
  • Detection of four new vulnerability categories for authentication bad practices related to NSURLConnection and NSURLSession

Apex[iv]

  • Detection of eight vulnerability categories in applications written for the Salesforce platform

AngularJS[v]

  • Coverage of 15 vulnerability categories for AngularJS 1.x core APIs, with the ability to track malicious data through the Model-View-ViewModel (MVVM) architecture

Underscore.js

  • Tracking of malicious data through the library's utility functions to detect both the Client-Side Template Injection and Server-Side Template Injection categories

Formula Injection

  • Detection of untrusted data used in CSV, TSV, or spreadsheet files that can lead to Formula Injection vulnerabilities across Java and .NET native APIs as well as several third-party libraries
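The Formula Injection category above concerns untrusted values written into CSV/TSV exports that a spreadsheet later evaluates as formulas. The following is an added example (not Fortify's rule logic or any code from the announcement) of the standard mitigation: neutralising cells from untrusted columns with a leading single quote so the spreadsheet stores them as text, while leaving trusted numeric columns untouched. The trigger-character list, column names and sample rows are constructed for this illustration.

```python
import csv
import io

# Leading characters spreadsheet applications treat as the start of a formula.
# Constructed list of commonly documented triggers; not Fortify's own rule data.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will store as literal text.

    A leading single quote makes Excel and LibreOffice keep the cell as text
    instead of evaluating it. Values without a trigger are returned unchanged.
    """
    text = str(value)
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text


def write_csv(rows, fieldnames, untrusted):
    """Serialise rows to CSV, neutralising only the columns fed by untrusted input.

    Trusted numeric columns are left alone so that a value such as -25 stays a
    number rather than becoming the text '-25.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({
            col: neutralize_cell(row.get(col, "")) if col in untrusted else row.get(col, "")
            for col in fieldnames
        })
    return buf.getvalue()


# Constructed sample export: 'name' is user-supplied, 'balance' is computed server-side.
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice", "balance": "100"},
    {"id": 2, "name": "=SUM(1,2)", "balance": "-25"},
]


def sample_export():
    return write_csv(SAMPLE_ROWS, ["id", "name", "balance"], untrusted={"name"})


if __name__ == "__main__":
    print(sample_export())
```

Note that quoting alone (QUOTE_ALL) does not help: a quoted cell beginning with `=` is still evaluated once the file is opened in a spreadsheet, which is why the prefix is applied in addition to quoting.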

DISA STIG 4.2

  • Correlation of the HPE Security Fortify Taxonomy to the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 4.2, to simplify federal customer compliance.


HPE Security Fortify SecureBase [Fortify WebInspect]

HPE SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability support

  • Insecure Swagger Specifications[vi]
  • Struts 2 OGNL Expression Injection (S2-045, S2-046[vii]), including a newly added attack vector.
  • SSLv3/TLS Renegotiation Stream Injection Enhancement including vulnerable server configuration[viii]
  • XSS Enhancement for new attack vectors[ix]

New policies

Introduction of two new policies to support workflows in new DevOps process implementations:

  • Client-side policy
  • Server-side policy

Compliance report

  • DISA STIG 4.2 Compliance Template.


HPE Security Fortify Application Defender

HPE Security Fortify Application Defender is a runtime application self-protection (RASP) solution that helps organizations manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time. For this release, the HPE Security Fortify Software Security Research team provides the following feature improvements:

New protection for zero-day Struts2 S2-045 OGNL Injection

  • New protection rule, Malformed Request: Bad Content-Type, for detecting and blocking Struts2 S2-045 (CVE-2017-5638)
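The rule above blocks requests whose Content-Type header does not parse as a media type. As an added illustration (not Application Defender's rule logic, and not code from the announcement), the check below validates the header against the RFC 7231 media-type grammar and flags any present-but-unparsable value; the regular expression, the length limit and the sample headers are constructed for this example.

```python
import re

# Media type grammar from RFC 7231 section 3.1.1.1:
#   type "/" subtype *( OWS ";" OWS parameter ), parameter = token "=" ( token / quoted-string )
# Constructed for this example; not the Application Defender rule logic.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\x00-\x1f]|\\.)*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_PARAM})*\s*$")

MAX_LEN = 256  # constructed limit; legitimate media types are far shorter


def is_well_formed_content_type(header):
    """Return True if the header is absent or parses as a valid media type.

    An absent header is normal for GET requests, so only a present but
    unparsable value is treated as malformed.
    """
    if header is None:
        return True
    if len(header) > MAX_LEN:
        return False
    return _MEDIA_TYPE.fullmatch(header) is not None


def classify_requests(requests):
    """Return the indexes of requests whose Content-Type would be blocked."""
    return [i for i, req in enumerate(requests)
            if not is_well_formed_content_type(req.get("Content-Type"))]


# Constructed sample headers: two ordinary form posts and two malformed values.
SAMPLE_REQUESTS = [
    {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"},
    {"Content-Type": "multipart/form-data; boundary=----ExampleBoundary"},
    {"Content-Type": "multipart/form-data; boundary={not a token}"},
    {"Content-Type": "text/plain junk after type"},
]


if __name__ == "__main__":
    print("blocked request indexes:", classify_requests(SAMPLE_REQUESTS))
```

Because the check is grammar-based rather than signature-based, it rejects any header the framework's parser would never have produced, without needing to enumerate specific payloads.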

Jetty application server

  • RTAP and RTAL rulepack kit support for the Jetty application server

Enhancements

  • Improved accuracy for Cross-Site Scripting and SQL Injection signatures.


HPE Security Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

DISA STIG 4.2 report

  • New SSC report bundle providing support for DISA STIG 4.2, to accompany the new correlation in this release.

HPE Security Fortify Taxonomy: Software Security Errors

  • The HPE Security Fortify Taxonomy site, containing descriptions for newly added category support, is available at https://vulncat.fortify.com and https://vulncat.hpefod.com.
  • Customers looking for the legacy site, with the last supported update, may obtain it from the HPE Security Fortify Support Portal.


Reference the release announcement for all the details.
We hope that you continue to find our products helpful and we welcome any feedback. If you have any questions, please don't hesitate to contact me.

Alexander M. Hoole
Manager, Software Security Research
HPE Security Fortify
hoole@hpe.com
+1 (650)265-5296

hpe.com/software/ssr
---------------------------

[i] TAP Syntax support requires HPE Security Fortify SCA 17.10 or newer.

[ii] Requires HPE Security Fortify SCA 17.10 or newer.

[iii] Requires HPE Security Fortify SCA 16.10 or newer.

[iv] Requires HPE Security Fortify SCA 17.10 or newer.

[v] Requires HPE Security Fortify SCA 17.10 or newer, with JavaScript enabled as a language, higher-order analysis enabled for analysis, and DOM modelling enabled during translation.

[vi] Requires HPE Security Fortify WebInspect 17.10 or newer.

[vii] Detecting the new attack vector requires HPE Security Fortify WebInspect 17.10 or newer.

[viii] Requires HPE Security Fortify WebInspect 17.10 or newer.

[ix] Requires HPE Security Fortify WebInspect 17.10 or newer.
